House Oversight FISMA bill envisions beefed-up OMB role

By Jack Moore

The House Oversight and Government Reform Committee unveiled a bill to overhaul a decade-old law detailing how federal agencies protect their computer networks from cybersecurity threats.

Reps. Darrell Issa (R-Calif.) and Elijah Cummings (D-Md.), the chairman and ranking member of the committee, respectively, introduced the legislation Monday.

The Federal Information Security Amendments Act of 2012 would reestablish the Office of Management and Budget's role — as opposed to the Homeland Security Department's — in developing and overseeing agency cybersecurity guidance.

That appears to put it at odds with competing cybersecurity bills in the Senate. One of them — the Cybersecurity Act of 2012 introduced by Sens. Joe Lieberman (I-Conn.), Susan Collins (R-Maine) and Jay Rockefeller (D-W.Va.) — calls for DHS to have a larger role in overseeing agency networks under FISMA. The other — the SECURE IT Act, introduced by Sen. John McCain — directs the Commerce Secretary to issue policies and guidance governing agency cybersecurity while tasking DHS with conducting ongoing security analyses and developing a timeline for establishing continuous monitoring of federal networks.

Both bills follow the White House's July 2010 policy giving DHS more authority and responsibility when it comes to FISMA.

In contrast, the Issa-Cummings bill makes no mention of either DHS or Commerce and instead says "in general," the director of OMB will coordinate and oversee agency security policies.

On Tuesday, Rep. Mary Bono Mack (R-Calif.) introduced the House version of the SECURE IT Act, which mirrors the Senate bill.

Issa: OMB a 'fair arbitrator'

Issa told the Federal Drive with Tom Temin and Emily Kopp the guiding principle of the FISMA update is to not create an additional layer of bureaucracy.

"Do you cede over all of cybersecurity to this organization broadly called Homeland Security?" Issa said. "Or, do you keep the management of information and information protection more squarely within the President's direct executive authority in the Office of Management and Budget?"

The answer to that question is what separates Issa's bill from other proposals, he said. "We recognize that all of government has to work with a fair arbitrator, and OMB has a much better history than any one cabinet position could ever have," he said.

Issa said he was a fan "of OMB being bolstered up, being more capable. We think making the trains run on time requires a central agency that is not any one cabinet position."

Issa stopped short of calling for a restructuring of OMB's cyber capabilities, instead saying the agency would be given additional resources.

OMB would either directly use those resources or task them to other agencies to administer, such as the General Services Administration.

"Rather than building an internal bureaucracy, they can view this as, if you will, a dedicated outsource capability," he said.

Issa said he expected the bill to clear the Oversight Committee when the House returns from Easter recess next month, and that it could be on the House floor the following week.

Now, he said he's waiting for the Congressional Budget Office to score the legislation's costs, particularly those around continuous monitoring.

"We often score something that we must do anyway," Issa said. "In this case, we believe that the Congressional Budget Office is going to recognize that these are costs that must be borne and not consider the act itself for scoring. If that's the case, this will be one of those win-win bills, where people realize it's a reform, whose cost is less than the cost of doing nothing."